CVE-2021-29922

CWE-20Improper Input Validation6 documents6 sources
Severity
9.1CRITICAL
EPSS
0.3%
top 44.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Rust-lang Rust
Timeline
PublishedAug 7
Latest updateMay 24

Description

library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

NVDrust-lang/rust< 1.53.0
Debianrustc< 1.53.0+dfsg1-1+2

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
GHSA-g9v3-gh27-qjh3: library/std/src/net/parser2022-05-24
OSV
CVE-2021-29922: library/std/src/net/parser2021-08-07
CVEList
CVE-2021-29922: library/std/src/net/parser2021-08-07

📋Vendor Advisories

2
Red Hat
rust: incorrect parsing of extraneous zero characters at the beginning of an IP address string2021-03-29
Debian
CVE-2021-29922: rustc - library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider e...2021
CVE-2021-29922 (CRITICAL CVSS 9.1) | library/std/src/net/parser.rs in Ru | cvebase.io